Woburn, MA – March 18, 2024 – Today Kaspersky announced that it has assisted an INTERPOL-coordinated action, which has led to Brazilian authorities arresting five administrators behind a Grandoreiro banking trojan operation. According to conservative estimates, the banking trojan operators are believed to have defrauded victims of more than 3.5 million euros.
Grandoreiro is a Brazil-originated banking trojan, which, according to Kaspersky data, has been active since at least 2016. Attacks using Grandoreiro frequently start with a spearphishing email written in Spanish, Portuguese or English. Once installed on a victim machine, the trojan tracks keyboard inputs, simulates mouse activity and shares screens, collecting data such as usernames, operating system information, device runtime and, most importantly, bank identifiers. With full control over victims’ bank accounts, criminals empty them, sending funds through a money mule network to launder the illicit proceeds.
The trojan has many versions, which might indicate that different operators are involved in the development of the malware, with Kaspersky experts having seen Grandoreiro operating as a Malware-as-a-Service (MaaS) project. The prolific banking malware has targeted more than 900 financial institutions in more than 40 countries in North and Latin America, and Europe.
As part of the current joint effort, Kaspersky, along with INTERPOL’s other private partners, contributed to the analysis of Grandoreiro malware samples gathered by Brazilian and Spanish national cybercrime investigations between 2020 and 2022. In 2020-2022, Kaspersky products detected 150,000 attacks using the Grandoreiro banking trojan on 40,000 users worldwide. Brazil, Spain, Mexico, Portugal, Argentina, and the USA turned out to be the most affected countries.
As a result, by August 2023, analytical reports had been produced that had identified overlaps between the samples, allowing investigators to close in on the organized crime group.
“We have been witnessing Grandoreiro’s campaigns since at least 2016. Over time, the attackers have been regularly improving techniques, striving to stay undetected and active for longer periods of time,” said Fabio Assolini, head of the Latin American Global Research and Analysis Team (GReAT) at Kaspersky. “In these circumstances, it is extremely important for financial institutions to stay vigilant while also improving their anti-fraud technologies and threat intelligence data. Greater synergy between private and public partners is also pivotal for combatting such cybercrimes and ensuring a safer environment for users and organizations worldwide.”
“This operational success vividly underscores the importance of sharing intelligence through INTERPOL, and why we are committed to acting as a bridge between public and private sectors,” said Craig Jones, director of INTERPOL’s cybercrime unit. “It also sets the stage for further cooperation in the region.”
As trojan families like Grandoreiro have been actively expanding abroad, Kaspersky experts expect to see increased exploitation of mobile banking trojans. According to the company’s predictions for crimeware and financial threats in 2024, we might see Brazilian banking trojans trying to fill the void left by desktop banking trojans, with the resurgence of these trojans becoming one of the trends dominating the financial threat landscape this year.
About Kaspersky
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help over 220,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.